ISO/IEC 42007 and ISO/IEC 17067: A New Framework for AI Conformity Assessment Schemes

Meta description: ISO/IEC 42007 introduces a new framework for developing AI conformity assessment and certification schemes under ISO/IEC 17067. Here’s what the standard covers, how it connects to ISO/IEC 42001, and what it means for the accreditation community — from NAC’s perspective.

As AI systems move rapidly into critical infrastructure, healthcare decisions, financial scoring, and autonomous mobility, the question “can we trust this system?” has to be answered not just technically but in a way that can be certified. That’s where the international standardization community steps in, under ISO/IEC JTC 1/SC 42, with a new framework taking shape: ISO/IEC 42007.

In this post, we’ll walk through what this developing standard covers, why it’s positioned as a companion to ISO/IEC 17067, and what it strategically means for accreditation bodies and conformity assessment bodies (CABs).

A Quick Refresher on ISO/IEC 17067

ISO/IEC 17067 is the international standard that lays out the fundamentals of product certification and provides guidance on how certification schemes should be designed. It classifies product certification schemes into Types 1a, 1b, 2, 3, 4, 5, and 6 — each with its own combination of testing, sampling, surveillance, and market monitoring.

Put simply: 17067 defines the skeleton of a certification scheme. The “muscle” wrapped around that skeleton depends on the nature of the product or service being certified. For traditional products, the scheme is relatively easy to define. For AI systems, which continuously learn, depend on data quality, and behave differently across contexts, the picture becomes far more complex.

What Is ISO/IEC 42007?

ISO/IEC 42007, formally titled “Information technology — Artificial intelligence — High-level framework and guidance for the development of conformity assessment schemes for AI systems,” is designed to fill exactly this gap.

Its core purpose is to provide practical guidance to organizations that want to develop AI-specific certification and conformity assessment schemes within the ISO/IEC 17067 framework. In other words, 42007 doesn’t replace 17067 — it extends and adapts it to the AI context.

The standard is currently at the DIS (Draft International Standard) stage, developed by ISO/IEC JTC 1/SC 42 (the joint AI committee of ISO and IEC) in close collaboration with ISO CASCO experts. Multiple national accreditation bodies and conformity assessment specialists are contributing to the drafting process — an international consistency that will be critical if AI certification is to sit on a globally recognized, mutually acceptable foundation.

Why a Companion to ISO/IEC 17067?

AI systems diverge from traditional products in several critical ways:

  • They aren’t static. Model behavior shifts with training data and updates over time.
  • They’re context-sensitive. The same model can behave safely in one domain and produce biased outcomes in another.
  • They demand lifecycle certification. “Certify once and forget” doesn’t apply; ongoing surveillance, re-evaluation, and incident handling become non-negotiable.

These differences make the direct application of classic Type 5 or Type 6 schemes insufficient. ISO/IEC 42007 is being written to close that gap — guiding scheme designers on AI-specific risk classification, evidence requirements, re-evaluation triggers, and stakeholder governance.

Its Place in the ISO/IEC 42000 Family

ISO/IEC 42007 shouldn’t be read in isolation. It belongs to a family:

  • ISO/IEC 42001 — AI Management System standard (organization-level management framework)
  • ISO/IEC 42005 — AI system impact assessment
  • ISO/IEC 42006 — Additional requirements to ISO/IEC 17021-1 for bodies certifying AI management systems
  • ISO/IEC 42007 — Framework for developing conformity assessment schemes for AI systems

The distinction matters: 42006 answers the question “what should the certification body itself do?” on the management system side. 42007 answers “how should the certification scheme itself be designed?” on the product/system side. Blurring the two leads to serious scope confusion in accreditation applications.

What It Means for Accreditation Bodies and CABs

Once ISO/IEC 42007 is published, its impact will be felt across three layers:

For accreditation bodies: Certification bodies accredited under ISO/IEC 17065 that operate AI certification schemes will need to be assessed against a combined reference of 17067 and 42007. That means new assessment criteria layered onto existing accreditation documentation.

For certification bodies: Any CAB developing a new AI certification scheme, or extending an existing one to cover AI systems, will find its blueprint in 42007. Scheme ownership, rule committees, impartiality safeguards, and technical competence requirements will all be explicitly defined.

For industry and regulators: With a growing wave of national and regional AI regulations around the world, demand for accredited certification as proof of compliance will accelerate. ISO/IEC 42007 will ensure that the schemes meeting this demand are built on an internationally consistent foundation.

NAC’s Perspective

As a U.S.-based accreditation body that is both an ILAC MRA signatory and a Global ACI MRA signatory and full member, NAC views AI conformity assessment as one of the most consequential accreditation frontiers of the coming decade. This dual recognition ensures that certificates issued by NAC-accredited bodies are mutually accepted across global markets. Accreditation of bodies certifying against ISO/IEC 42001 — under the 42006 framework — is already on our roadmap. Once 42007 is finalized, a concrete accreditation pathway will also open for CABs pursuing product- or system-level AI certification.

Getting ready before the standard is officially published matters. Organizations that align their scheme documentation, assessor competence matrices, and technical committee structures with the current 42007 draft expectations now will save significant time later.

Closing Thoughts

ISO/IEC 42007 is on track to become one of the foundational building blocks of trust infrastructure in the AI era. By combining the solid skeleton of ISO/IEC 17067 with guidance tailored to the dynamic nature of AI, it offers regulators, industry, and the conformity assessment ecosystem a shared language.

At NAC, we’re tracking this development closely and will keep our accredited organizations and prospective AI-certification CABs informed as the standard progresses toward publication.